Introduction to IT Audit

January 23, 2008

©2008 Protiviti Inc. This document is for your company’s internal use only and may not be distributed to any third party.

Who We Are

•Randy Roehm – Technology Risk Director
•Jason Brucker – Technology Risk Manager
•Zeb Buckner – Internal Audit Consultant
•Darcie Allen – Denver HR & Recruiting Lead

Protiviti Overview

Consulting
–Finance Transformation
–Operational Risks
–IT Strategy Services
–Business Intelligence
–Enabling Technologies
–Governance Risks and Controls

Internal Audit
–Internal Audit Start-Up
–Co-Sourcing
–Outsourcing
–Internal Audit Transformation
–Risk Assessment

Specialist firms:
•Responsive client service
•Lack of SEC restrictions
•Independent from attest & tax services
•Better teaming
•Focus on core offerings

Large Firm:
•Methodologies & tools
•Experienced professionals
•Depth of consulting services
•Financial stability
•Global presence

Protiviti combines the strengths of the Big Four and independent alternatives…without compromise

About Protiviti

•Client engagements vary in size: typically $75K to several million.
•Protiviti's revenues for fiscal year 2006 were over $0.5 billion.
•More than 3,000 professionals worldwide.
•Wholly owned subsidiary of Robert Half International Inc.
•Protiviti was listed as one of Businessweek’s top 100 places to start a career in 2006 and 2007.

Example Clients

Our clients include more than 20% of all Fortune 1000 companies; more than 25% of all Fortune 500 companies; and more than 35% of all Fortune 100 companies.*

*All logos used with client permission

Protiviti Locations

(Map slide; no text content.)

Definition of Internal Auditing

“Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process.”

– The Institute of Internal Auditors

Definition of IT Audit

“Information Technology (IT) internal auditing helps a company understand the key technology risks and how well the company is mitigating and controlling those risks. IT internal audit also provides insight into the threats inherent in today's highly complex technologies.”

– Protiviti IT Audit Services

Definition of Internal Control

“Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of [business] objectives in the following categories:
•Effectiveness and efficiency of operations
•Reliability of financial reporting
•Compliance with applicable laws and regulations.”

– Committee of Sponsoring Organizations (COSO)

Key Publications / Resources

•COSO
•COBIT
•ITIL
•Val IT
•ITPI

Internal Controls & Performance

The IT Process Institute (ITPI) is a non-profit organization with the mission to “advance IT management science through independent research, benchmarking, and prescriptive guidance.”

•Differentiating Factors – Top Performers vs. Medium Performers
–The activities that “sustain and continually improve their control systems”
–These are activities such as enforcing processes and consistent use of other controls to proactively stabilize the IT environment
•Differentiating Factors – Medium Performers vs. Low Performers
–The activities that organizations use to “build their control systems”
–These are activities such as defining processes, roles and service levels

Protiviti Tools

•Protiviti Technology Risk Model
•Process Classification Scheme
•Capability Maturity Model
•6 Elements of Infrastructure
•KnowledgeLeader

Protiviti Technology Risk Model

(Diagram slide; no text content.)

Process Classification Scheme (PCS)

4.1 Define IT Strategy & Organization
4.2 Manage Security & Privacy
4.3 Deploy & Maintain Solutions
4.4 Manage IT Infrastructure
  4.4.1 Manage Data Center Operations
  4.4.2 Manage Technical Infrastructure
  4.4.3 Performance Planning/Monitoring
  4.4.4 Project Management Risk
4.5 Manage IT Assets
4.6 Support End Users
4.7 Ensure Continuity

6 Elements of Infrastructure

Component – Resulting business risk if the component is deficient:
•Business Strategies and Policies
•Business Processes & Controls – Process does not achieve strategy
•People & Organizational Structure – People cannot perform process
•Management Reports – Reports do not provide information for effective management
•Methodologies – Methodologies do not adequately analyze information
•Systems and Data – Information is not available for analysis and reporting

The "6 Elements of Infrastructure"
•Describes the components needed to ensure quality & risk management
•Are generally designed from left to right as shown above
•Each component contributes to the overall process maturity of each area
•Describes the "necessary ingredients" for mitigating risk to strategies the business deems critical

Capability Maturity Model

(Diagram slide; no text content.)

KnowledgeLeader

•Overview of KnowledgeLeader (KL)
–Subscription based information website
  •Free to students and professors
–Aids the Internal Auditor by providing
  •Audit programs
  •Checklists
  •Tools
  •Resources
  •Best practices
–Risk management professionals can save time, manage risk, and add value
–KL Demo at end of presentation (time permitting)

Protiviti IA Methodology (diagram)

Phases: Planning → Execution / Field Work → Reporting

Levels: Entity Level; Process / Location / Transaction Level

Steps: Create Overall Internal Audit Plan → Plan and Create Infrastructure → Understand and Analyze Activity → Set Objectives and Plan → Identify and Prioritize Risks → Identify Controls and Evaluate → Test Controls → Report → Monitor and Follow-up

Surrounding frame: COSO ERM; Entity Objectives; Change; Identify and Assess Risk; Control Self Assessment; Add Value (Oversight, Insight, Foresight); Embrace IIA Standards (Attribute, Performance, Implementation, Practice Advisories)

Audit Planning

(Protiviti IA Methodology diagram repeated, with the Planning phase highlighted.)

Audit Planning

Objective: Understand project environment, objectives, and scope. Identify process best practices. Identify information needed to carry out the audit.

Approach: Understand and Analyze Activity → Set Objectives and Plan → Identify and Prioritize Risks

Value: A risk-based audit approach focuses an audit on significant risk areas, efficiently utilizing resources to produce effective results that ultimately add value to the client’s organization.

Key Audit Planning Activities

•Conduct the planning meeting with the client to:
–Determine objectives and scope
–Understand the key risks (e.g., questionnaires)
–Request relevant background information / documentation (e.g., past audit findings, org charts, system diagrams, etc.)
•Create the planning and scoping memo
•Create work program
•Determine budget and resource allocation
•Send audit notification letters

Key Planning Documents / Outputs

•Meeting notes / minutes
•Planning memo
•Work program
–Examples:
  •IT General Controls
  •IT Change management
  •Disaster recovery
  •Windows security
•Budget / staffing plan
•Notification letter

Execution / Field Work

(Protiviti IA Methodology diagram repeated, with the Execution / Field Work phase highlighted.)

Execution / Field Work

Objective: Perform an evaluation to verify that, for each control objective / risk, controls are designed and operating effectively so there is reasonable assurance that the risk is mitigated to an acceptable level.

Approach: Identify Relevant Controls → Assess Control Design Effectiveness → Develop Test Plans for Controls Designed Effectively → Evaluate Control Operating Effectiveness

Value: Field work provides internal auditors with the opportunity to identify findings and value added recommendations to the client. These form the basis for well supported conclusions and recommendations.

Key Field Work Activities

•Gain a detailed understanding of the audited area
•Identify and document risks & controls:
–Determine control characteristics
–Populate a risk & control matrix (RCM)
•Evaluate control design effectiveness, including linkage to control objectives / risks
•Identify testing steps to validate control operating effectiveness
•Execute testing:
–Acquire and evaluate data / control evidence
–Create workpapers
–Document observations & findings
–Validate findings with auditee

Documenting Controls

•What – What does the control do? Is it preventative or detective?
•How – How is the control performed? What is the evidence?
•Who – Who performs the control? What is their title?
•Why – What is the objective of the control?
•When – How frequently is the control performed?

Characteristics of Effective Controls

•Relevant to the control objective / risk under review
•Performed frequently enough
•Personnel performing them have adequate knowledge and experience
•Appropriate segregation of duties exists
•Errors are identified and remediated in a timely manner
•Reliable information is used to perform the control

Relative Strength of Controls

Stronger | Weaker
Performed real time | Takes place later
100% coverage | Uses sampling
Transactional level | High level
Simple: one step | Complex: many steps
Preventative control | Detective control
Performed by senior personnel | Performed by junior personnel
Automated control | Manual control

Develop a Test Plan

•A well-developed test plan:
–Considers control objectives / risks and how controls accomplish those objectives or mitigate the risks
–May test numerous controls
–Identifies the population, sample size, and sample selection methodology for the test
–Describes each step the auditor is to perform
–Verifies the reports used for sample selection are accurate and reliable
–Includes only effectively designed controls from the RCM; ineffectively designed controls should be noted as audit findings
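The sampling part of such a test plan, worked through in code. This is an added example and not part of the Protiviti slides: the population is a constructed export of production change tickets, the independent control total is a constructed count from a hypothetical change-management dashboard, and the sizing rule (100% coverage for small populations, otherwise a quarter of the population floored at 5 and capped at 25) is an assumption of the example, not a Protiviti rule. The report is checked for completeness against the control total and the audit period before any sample is drawn, and the draw is seeded so a reviewer can re-perform it.

```python
"""Added example (not from the slides): sample selection for a change-approval
control test. Population, control total and sizing rule are all assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    approved_by: str   # approver recorded on the ticket; "" means no approval
    deployed_on: str   # ISO date the change reached production


# Constructed population: every production change in the audit period.
POPULATION = [
    ChangeTicket("CHG-1001", "cab.lead", "2008-01-03"),
    ChangeTicket("CHG-1002", "cab.lead", "2008-01-04"),
    ChangeTicket("CHG-1003", "it.manager", "2008-01-08"),
    ChangeTicket("CHG-1004", "", "2008-01-09"),
    ChangeTicket("CHG-1005", "cab.lead", "2008-01-10"),
    ChangeTicket("CHG-1006", "it.manager", "2008-01-14"),
    ChangeTicket("CHG-1007", "cab.lead", "2008-01-15"),
    ChangeTicket("CHG-1008", "cab.lead", "2008-01-16"),
    ChangeTicket("CHG-1009", "it.manager", "2008-01-17"),
    ChangeTicket("CHG-1010", "", "2008-01-21"),
    ChangeTicket("CHG-1011", "cab.lead", "2008-01-22"),
    ChangeTicket("CHG-1012", "it.manager", "2008-01-23"),
]
# Constructed independent control total, e.g. the count shown on the tool's dashboard.
INDEPENDENT_COUNT = 12
AUDIT_PERIOD = ("2008-01-01", "2008-01-31")


def verify_population(tickets, expected_count, period):
    """Check the selection report is complete and reliable before drawing a sample."""
    ids = [t.ticket_id for t in tickets]
    if len(ids) != expected_count:
        raise ValueError(f"report lists {len(ids)} tickets, control total is {expected_count}")
    if len(set(ids)) != len(ids):
        raise ValueError("report contains duplicate ticket ids")
    start, end = period
    out_of_period = [t.ticket_id for t in tickets if not start <= t.deployed_on <= end]
    if out_of_period:
        raise ValueError(f"tickets outside audit period: {out_of_period}")
    return True


def sample_size(population_size, full_coverage_threshold=10, cap=25):
    """Assumed sizing rule: small populations get 100% coverage (the stronger test),
    larger ones a quarter of the population, floored at 5 and capped at 25."""
    if population_size <= full_coverage_threshold:
        return population_size
    return max(5, min(cap, population_size // 4))


def select_sample(tickets, size, seed):
    """Seeded random selection so that a reviewer can re-perform the draw."""
    rng = random.Random(seed)
    return sorted(rng.sample(tickets, size), key=lambda t: t.ticket_id)


def run_change_approval_test(tickets=POPULATION, seed=20080123):
    """Execute the test step: every sampled change must carry an approver."""
    verify_population(tickets, INDEPENDENT_COUNT, AUDIT_PERIOD)
    size = sample_size(len(tickets))
    sample = select_sample(tickets, size, seed)
    exceptions = [t.ticket_id for t in sample if not t.approved_by]
    return {
        "population": len(tickets),
        "sample_size": size,
        "methodology": f"random.Random({seed}).sample, sorted by ticket id",
        "sample": [t.ticket_id for t in sample],
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print(run_change_approval_test())
```

The returned dictionary is the workpaper record: population size, sample size, the methodology string and seed, the items tested and the exceptions. Recording the seed is what makes the selection re-performable, which the slide on types of tests asks of testing documentation.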

Types of Tests

Inquiry
–Explanation: Ascertain whether a control is in place by asking specific oral or written questions
–Documentation requirements: Who was interviewed, when the interview took place and information they provided
–Examples: Interview key personnel to understand the controls surrounding a particular process

Observation
–Explanation: Direct viewing of control being performed
–Documentation requirements: Who, when & what was observed
–Examples: Automated: Observe all field edit checks work when invalid data is entered. Manual: Security of blank check stock

Inspection / Examination
–Explanation: The inspection of records, documents, reconciliations, and reports for evidence that a control has been properly applied
–Documentation requirements: Who, when & what. Details of items tested. Level of detail must be sufficient to support conclusion and allow someone else to re-perform your test.
–Examples: Select a sample of contracts and verify that key controls were performed: contract was signed (Validity); all key fields were completed (Completeness)

Re-performance
–Explanation: The repetition of a control performed by an employee or a computer or system
–Documentation requirements: What & how. Details of items tested. Level of detail must be sufficient to support conclusion and allow someone else to re-perform your test.
–Examples: Recalculating a bank reconciliation, tracing back to bank statements, and general ledger balance
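The re-performance row above, worked through in code as an added example that is not part of the slides. Every balance, check number and deposit reference is constructed. Instead of re-adding the preparer's own reconciling items, the auditor traces GL activity to the bank statement to derive outstanding checks and deposits in transit independently, recomputes the adjusted bank balance, and compares both the balance and the list of items to what the preparer reported; the returned record carries the "what & how" detail the slide requires.

```python
"""Added example (not from the slides): re-performing a bank reconciliation and
recording the workpaper detail. All figures are constructed."""
from decimal import Decimal

D = Decimal

# Constructed GL cash activity for the period: check number / deposit reference -> amount.
GL_CHECKS = {"4509": D("1200.00"), "4510": D("3300.00"), "4511": D("2200.00"),
             "4515": D("900.00"), "4517": D("4870.00")}
GL_DEPOSITS = {"DEP-0128": D("5000.00"), "DEP-0131": D("1550.00")}
GL_CASH_BALANCE = D("98730.00")

# Constructed bank statement for the same period.
BANK_STATEMENT_BALANCE = D("104250.00")
BANK_CLEARED_CHECKS = {"4509", "4510", "4515"}
BANK_CLEARED_DEPOSITS = {"DEP-0128"}

# Reconciling items as listed on the preparer's reconciliation workpaper (constructed).
PREPARER_ITEMS = {
    "outstanding_checks": {"4511": D("2200.00"), "4517": D("4870.00")},
    "deposits_in_transit": {"DEP-0131": D("1550.00")},
}


def derive_reconciling_items(gl_checks, gl_deposits, cleared_checks, cleared_deposits):
    """Trace GL activity to the bank statement: anything recorded in the GL that has
    not cleared the bank is a reconciling item."""
    outstanding = {no: amt for no, amt in gl_checks.items() if no not in cleared_checks}
    in_transit = {ref: amt for ref, amt in gl_deposits.items() if ref not in cleared_deposits}
    return outstanding, in_transit


def reperform_reconciliation(bank_balance=BANK_STATEMENT_BALANCE, gl_balance=GL_CASH_BALANCE,
                             gl_checks=GL_CHECKS, gl_deposits=GL_DEPOSITS,
                             cleared_checks=BANK_CLEARED_CHECKS,
                             cleared_deposits=BANK_CLEARED_DEPOSITS,
                             preparer_items=PREPARER_ITEMS):
    """Recalculate the reconciliation from source records and compare to the preparer."""
    outstanding, in_transit = derive_reconciling_items(
        gl_checks, gl_deposits, cleared_checks, cleared_deposits)
    adjusted = bank_balance - sum(outstanding.values(), D(0)) + sum(in_transit.values(), D(0))
    difference = adjusted - gl_balance
    items_agree = (outstanding == preparer_items["outstanding_checks"]
                   and in_transit == preparer_items["deposits_in_transit"])
    exceptions = []
    if difference != 0:
        exceptions.append(f"unreconciled difference of {difference} between adjusted bank balance and GL")
    if not items_agree:
        exceptions.append("preparer's reconciling items differ from items traced to the bank statement")
    return {
        "technique": "re-performance",
        "what": "bank reconciliation for the period, recalculated from GL activity and the bank statement",
        "how": ("outstanding checks = GL checks not cleared by the bank; deposits in transit = GL deposits "
                "not on the statement; adjusted bank balance = statement balance - outstanding checks "
                "+ deposits in transit, compared to the GL cash balance and to the preparer's items"),
        "outstanding_checks": outstanding,
        "deposits_in_transit": in_transit,
        "adjusted_bank_balance": adjusted,
        "difference_to_gl": difference,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    print(reperform_reconciliation())
```

A non-zero difference, or a preparer item list that does not match the traced items, goes into the exceptions list and becomes the condition of a finding; the "what" and "how" strings are what lets another auditor re-perform the test from the workpaper alone.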

Documenting Findings: The 5 C’s

•Condition – Statement of the issue
•Criterion – Description of what should be
•Consequence – Explanation of the significance or impact
•Cause – Explanation of what allowed the condition to occur
•Corrective Action – Description of action necessary to correct the condition

Example Issue Write-Up Statement

•Condition – 15% of the development team has “write” access to the production environment.
•Criterion – The corporate IT security policy dictates that access should be granted according to “least privilege” and developers should not have “write” access to the production environment.
•Consequence – Unauthorized developer activity may introduce unstable and/or malicious changes to the production environment.
•Cause – Developer production access was not reviewed and eliminated when the IT security policy was implemented.
•Corrective Action – The system security administrators will review and disable all developer “write” access in production, and the VP of IT will conduct monthly access reviews to verify no developers have improperly obtained “write” access to production.
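The access review behind this write-up, and the 5 C structure of the preceding slide, turned into a repeatable check. This is an added example and not Protiviti's code: the production permission export and the developer roster are constructed, the permission vocabulary (`write`, `modify`, `full`) and the `prod-` resource naming convention are assumptions about a hypothetical access-management tool, and the criterion and consequence text is taken from the slide. Cause and corrective action cannot be derived from an access listing, so they are left as placeholders for the auditor to complete with the auditee. The same check, run monthly, is the kind of review the corrective action on the slide commits the VP of IT to.

```python
"""Added example (not from the slides): least-privilege access review producing a
finding in the 5 C structure. Inputs and tool vocabulary are constructed."""
import csv
import io

# Constructed production ACL export from a hypothetical access-management tool.
ACL_EXPORT = """account,resource,permission
alice,prod-db-01,read
bob,prod-app-01,write
carol,prod-app-01,read
dave,prod-db-01,write
erin,prod-app-02,modify
frank,dev-app-01,write
grace,prod-app-01,read
ops.admin,prod-app-01,full
"""

# Constructed HR roster of the 20-person development team.
DEVELOPER_ROSTER = {
    "alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
    "ivan", "judy", "karl", "lena", "mike", "nina", "oscar", "pat",
    "quinn", "rosa", "sam", "tina",
}
WRITE_PERMISSIONS = {"write", "modify", "full"}   # assumed tool vocabulary
PRODUCTION_PREFIX = "prod-"                        # assumed naming convention


def developers_with_prod_write(acl_csv, roster):
    """Return the developer accounts holding any write-class permission on a
    production resource. Non-developers and non-production resources are ignored."""
    offenders = set()
    for row in csv.DictReader(io.StringIO(acl_csv)):
        if (row["account"] in roster
                and row["resource"].startswith(PRODUCTION_PREFIX)
                and row["permission"].strip().lower() in WRITE_PERMISSIONS):
            offenders.add(row["account"])
    return offenders


def write_up(acl_csv=ACL_EXPORT, roster=DEVELOPER_ROSTER):
    """Build the finding in the 5 C structure, or return None when there is nothing
    to report. Cause and corrective action come from discussion with the auditee."""
    offenders = developers_with_prod_write(acl_csv, roster)
    if not offenders:
        return None
    percent = round(100 * len(offenders) / len(roster))
    return {
        "condition": f"{percent}% of the development team has \"write\" access "
                     f"to the production environment.",
        "criterion": ("The corporate IT security policy dictates that access should be "
                      "granted according to \"least privilege\" and developers should not "
                      "have \"write\" access to the production environment."),
        "consequence": ("Unauthorized developer activity may introduce unstable and/or "
                        "malicious changes to the production environment."),
        "cause": "[to be established with the auditee]",
        "corrective_action": "[to be agreed with management]",
        "evidence": sorted(offenders),   # workpaper support for the condition
    }


if __name__ == "__main__":
    print(write_up())
```

The `evidence` list is what goes into the workpaper behind the condition: the write-up states the percentage, the workpaper names the accounts so the finding can be validated with the auditee and re-tested after the corrective action.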

Key Field Work Documents / Outputs

•Risk & control matrices (RCMs)
•Testing memoranda / lead sheets
•Workpapers / testing documentation:
–Data analyses (e.g., spreadsheets)
–Narratives / procedures
–Process maps
–System output (e.g., reports, log files)
•Issue tracker / testing summary
•Completed work program

Reporting

(Protiviti IA Methodology diagram repeated, with the Reporting phase highlighted.)

Reporting

Objective: Summarize and present issues, observations and value-added recommendations based upon fieldwork, sound analysis and business judgment.

Approach: Determine which issues to Report → Link Issues to Objectives → Develop and Present Recommendations
•Final Report

Value: High quality reporting is responsive to specific client needs and is well supported by analysis and test procedure results. Internal audit reports provide companies with a powerful mechanism for making decisions to improve their ability to achieve business objectives.

Compelling Recommendations

•Actionable
•Supported with sufficient evidence
•Focused on the root cause
•Appropriate level of management is involved in issue identification early on
•In line with client priorities and objectives
•Are items the client is ready or able to change
•Based on objective and accurate information
•May offer near-term and long-term solutions

Goal of our audit report: To report facts in a manner that puts management in a position to reach informed conclusions on their own

Adding Value with Recommendations

•How can the process measurements and controls be modified or enhanced?
•What are other companies doing (e.g., benchmarks, standards)?
•Are you missing out on some best practices?
•Where is this process going?
•Can it scale as the company grows?
•Will current controls be adequate in the future?
•What planned or future changes need to be considered?

Q & A

Activity: KnowledgeLeader Research

Knowledge Leader (KL)

(Screenshot slides; titles only.)
•KL – Home Page
•KL – Tools
•KL – Publications
•KL – University Center
•KL – Standards & Training

Activity – KnowledgeLeader Research

•Objective:
–Give you the opportunity to perform advance research on the accounts payable process on KnowledgeLeader.
•Deliverables:
–Examples of planning and process documents that you can utilize from KnowledgeLeader.

Activity – KnowledgeLeader Research

Tasks (Who/How: Table Group; approx. time: 10 minutes)
1. Go to the KnowledgeLeader website, knowledgeleader.com.
2. Identify six documents a consultant could use to prepare for an Accounts Payable review. Two of the six documents should be for the:
  •planning stage (information gathering)
  •process documentation stage (risk and control analysis and process flowcharts/narratives)
3. Each table should create a listing of documents they found and indicate what stage the documents could be used.

Debrief Meeting (Who/How: Class Group; approx. time: 5 minutes)

Q & A